
Security researchers have discovered a critical, widespread archive extraction vulnerability dubbed “Zip Slip” that allows attackers to remotely overwrite arbitrary files on the victim’s system and invoke them to achieve remote command execution. The vulnerability lies in the way coders, plugins and libraries implement the process of decompressing an archived file.

Zip Slip affects thousands of projects including those from HP, Amazon, Apache, Pivotal and more. The vulnerability has been found in multiple ecosystems including JavaScript, .NET, Ruby and Go. However, it is particularly prevalent in Java which does not have a central library that offers high level processing of archive files.

“The lack of such a library led to vulnerable code snippets being handcrafted and shared among developer communities such as StackOverflow,” researchers said. “The vulnerability is exploited using a specially crafted archive that holds directory traversal file names (e.g. ../../evil.sh)... The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking.”

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” researchers explained. This could allow the attacker to replace or overwrite important system files, such as OS libraries or server configuration files, allowing malicious code to be executed. The exploit could also result in a system shutdown.
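As an added illustration (not code from the Snyk paper or from any affected library), the Go program below builds a small in-memory zip containing one entry named like the article's example and one benign entry, then applies the validation check that vulnerable extraction code omits: resolve each entry against the target directory and reject any entry whose resolved path lands outside it. The function names, the sample entries and the /tmp/extract target directory are assumptions; nothing is written to disk.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin resolves an archive entry name against destDir and returns the
// resulting path, or an error if the entry would escape destDir. The check is
// lexical (filepath.Join cleans ".." segments); symlinks inside destDir are a
// separate concern not handled here.
func safeJoin(destDir, entryName string) (string, error) {
	destDir = filepath.Clean(destDir)
	target := filepath.Join(destDir, entryName)
	if target != destDir && !strings.HasPrefix(target, destDir+string(filepath.Separator)) {
		return "", fmt.Errorf("zip slip: entry %q escapes %q", entryName, destDir)
	}
	return target, nil
}

// checkArchive lists every entry of an in-memory zip that would escape destDir.
// Go 1.20+ can flag such names itself when GODEBUG=zipinsecurepath=0 is set; it
// still returns a usable reader, so that error is tolerated and our own check runs.
func checkArchive(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var escaping []string
	for _, f := range r.File {
		if _, err := safeJoin(destDir, f.Name); err != nil {
			escaping = append(escaping, f.Name)
		}
	}
	return escaping, nil
}

// buildSampleArchive constructs test data: a benign entry plus a traversal entry
// shaped like the article's "../../evil.sh" example.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"readme.txt", "harmless"},
		{"../../evil.sh", "#!/bin/sh\necho constructed sample\n"},
	} {
		fw, _ := w.Create(e.name)
		fw.Write([]byte(e.body))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	escaping, err := checkArchive(buildSampleArchive(), "/tmp/extract")
	if err != nil {
		panic(err)
	}
	fmt.Println("entries escaping the target directory:", escaping)
}
```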

Furthermore, some of the code shared on StackOverflow was also found to be vulnerable to Zip Slip, leaving many desktop, mobile and web apps written in Java vulnerable as well.

Victims will have to search their projects for the vulnerable code, the researchers noted.

Snyk researchers discovered the flaw in April and have demonstrated the exploit in their proof-of-concept video. Affected library developers have since fixed the issue. They have also released a detailed technical paper for developers to better understand the flaw and test their own apps for it.

Application developers have been advised to update their libraries to a patched version. Snyk has also published a list on GitHub of archive-processing libraries and projects, indicating which are affected, which have been fixed and which have been deemed not exploitable.
